The Steam online gaming community is being targeted once again by those wielding malware, this time using a fake version of the Razer Comms voice chat service for PC gamers.
Malwarebytes has discovered a faux Steam Community URL (steamccommynity(dot)com), which in and of itself is sadly not that unusual. However, the page replicates the Razer Comms website instead of offering phishing links masquerading as click-throughs to various in-game items for Steam offerings (the most typical bad-guy move on the site).
“The site functions in a similar fashion to the real [Razer Comms site], along with linking to the (legit) mobile app on the Google Play store,” said Malwarebytes researcher Christopher Boyd, in a blog. “Clicking the Windows download button however will serve potential victims a bogus file instead of the actual Razer Comms executable.”
The file is not quite ready for primetime, and contains a lot of errors that prevents it from carrying out its spyware mission, he noted.
“We didn’t see any data being stolen during testing—most likely due to the errors—but that doesn’t mean a more reliable file won’t replace it at some point down the line,” Boyd said.
He added that it’s a bit of a jumbled, Frankenstein-like mess. There are “some bits and pieces of code” in the malware that can also be found in a similar file associated with password theft on VirusTotal. And, there's also a reference to a URL which leads to a login page for something unrelated, called “Steam Fishing [sic] Tools.”
He was also able to trace the malware authors back to a Russian gaming portal, where they are offering a full slate of hacking services (though this file wouldn’t seem to be a good advertisement for quality). Offerings include “downloading all logs in the temp txt file,” “issuing additional accounts for the spammer,” “fake geolocation,” “selection of languages,” “ban protection” in relation to using Google Chrome and the potential for “Kriptovat virus.”
Also of interest is the payment structure: The group wants 1,000 WMR per week for their services, or 3,500 for a month.
“WMR appears to be a form of secure online payment, though I’m not familiar with it at all and hesitate to give an equivalent total to the kind of real world money you’d hide under the bed,” said Boyd.
Boyd noted that this is the first time something like a gaming chat package has been used as a lure, and that most scammers target Steam accounts through the community trading pages with phishing links as noted above, or malware downloads.
“In most cases that we see, the name of the game is luring the victim outside of the trade system window,” he said. “If you’re being sent links to ‘previews’ of items in Steam chat by strangers who started messaging you ten minutes ago? You may be on your way to a bad day. Whether we’re dealing with links to executables, so-called pictures of in-game items which turn out to be .scr files, login pages asking you for credentials and/or uploads of your SSFN, you should do your very best to avoid them all.”
Gamers would do well to heed the advice, as Steam is a popular target—recently malware-pushers were using the portal’s built-in instant messaging capability to spread bad code.